Windows 10 Poor write performance of Bitlocker-enabled USB 3.x UAS (USB Attached SCSI) external SSD drives

  • Thread starter: SergiyRX




Hi Community!



This topic is about the poor write performance of Bitlocker-enabled external USB 3.x attached SCSI SSD drives (so-called UAS drives) that are gaining popularity these days.



I am starting this topic because I found the information available on the Internet too contradictory and misleading, and because of the growing number of UAS SSDs on the market. The devices are typically equipped with some sort of SandForce or Phison controllers, so they operate much like SAS SCSI drives. Peculiarly, since USB 3.x provides double simplex transfers, in theory (if supported in Windows 10, of which I am not sure) the devices should be capable of simultaneous reads and writes with little speed downgrade.




When people complain that “something is wrong” with their Bitlocker-enabled drive, they lack “system and methodology”, because what is applicable to one drive is not applicable to another, or to the same drive in different circumstances. Hereby I give you a method of correctly testing and comparing the performance of external USB 3.x attached SCSI SSD drives which cannot alter the true results and mislead interpretations. (Like the guy who ran the test on a PC with 64 GB DRAM and a test file size of 32 GB and therefore actually measured the performance of the cache and not of Bitlocker itself.) Once you stick to the procedure described, you will not make such mistakes.



This procedure applies to Bitlocker encrypted volumes on external SCSI SSD drives connected through a USB 3.x serial bus to Windows 10 64 Professional / Professional for Workstations machines, builds 1605 and above.



For this procedure the following conditions are true:



  • The CPU of the machine includes the set of Intel New AES instructions, providing at least 5 G-ops of encryption/decryption performance in hardware, total for all the cores;



  • The sustained DirectIO mode (Windows caching disabled) speed of the SAS-attached USB 3.x drive should be above 400 MB/sec for both write and read random patterns, with latency below 0.03 ms, when the tested block sizes are above 256K according to ATTO, and the test file size should be double the system's physical memory. So we know for sure UAS is enabled and operating.



  • The drive should be set as "Removable" in the policy. This is a precaution to prevent the OS from intervening in the IO flow and caching.



Now the Bitlocker performance measurement procedure:



  • Create a new NTFS volume on the drive with a size quadruple the (physical) system memory size. So, e.g., for 8 GB of system memory we create a 32 GB volume.



  • Ensure that hardware encryption on the drive, if any, is disabled in GPO. For me, e.g., with the new Corsair Voyager GTX 512 GB, there is no encrypting processor on the drive, as the controller of the disk is Phison (no compression or encryption).



  • Create another volume next to it, of the same size and type of filesystem as the previous one. This second volume will be our reference.



  • Enable BITLOCKER for the first volume and fully encrypt it with new XTS 128 bit AES (default for new versions of Windows 10) and not the "compatible mode". Do NOT use "Bitlocker On The Go", encrypt the whole volume NOW. Do not enable the Bitlocker on the reference volume.



Well, if you correctly reproduced the bench, you will have a Bitlocker volume on your external drive with assigned letter, and another volume with another assigned drive letter, so move on and open ATTO.



  • Pick the second (unencrypted) volume by its assigned letter. Select a queue depth of 8, Direct IO mode and IO overlapping as test parameters, and the full range for the block sizes. Set the test file size to be half of the volume size.



  • Run the test and save the results.



  • Now, do the same for the Bitlocker encrypted drive. Save the results.



The outcome.



You will immediately notice how performance drops when BitLocker is enabled. This is especially noticeable for large block sizes.



Pick, e.g., the 4 Mb block size random write speed from the result set for the unencrypted volume and divide it by the same result for the Bitlocker encrypted volume.



For me the performance degradation is severe: this ratio is as large as 4 on NTFS and up to 7 for ReFS. To underline, this is for the whole encrypted volume.



Discussion.



Till now, nobody has told us how much actual data Bitlocker physically writes to disk when the System writes some given portion of data to Bitlocker. What is the aspect ratio of the two? With the hardware AES support on new Intel CPUs the encryption overhead is minimal, a matter of percents.



But ratios this high for AES writing operations might tell us that Bitlocker writes 4-5 times more to the physical layer than it writes on the System level, hence the performance drop.



Is that normal, is that “by design”?



Can you share your results acquired according to this procedure for your drive?



Can you report your model name/ capacity with the result of the test?



It seems that something is not clear with the latest implementation of Bitlocker when it comes to real-world performance with external USB 3.x UAS SSD drives. Do you agree?



What is your opinion on the topic? Would you suggest some additional testing/ GPO settings/ configurations to test this issue more completely, and are you aware of a way to fix it, if you believe it is possible?



Do you agree that sustained write performance of 100+ MB/s with Bitlocker enabled for a 450+ MB/s capable device is a shame? For comparison, VeraCrypt provides Three Level Nested Encryption at such a write speed on the same drive and volume!



Thank you to everybody who reads this and shares their thoughts and results.



Attached are the ATTO tests for the same volume on the external USB 3.x UAS SSD, Bitlocker encrypted vs. unencrypted (NTFS).



Regards,

Serge
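
A pre-flight check for the bench described in the post, as an added example that is not part of the original post: it confirms, before ATTO is run, that the encrypted volume really uses software XTS-AES 128, that the reference volume is unencrypted, and that the volumes are large enough for the test file to exceed physical memory. The drive letters `E` and `F` and the 3.9 sizing tolerance are assumptions.

```powershell
# Added example: verify the bench preconditions before running ATTO.
# Run from an elevated PowerShell session.
param(
    [string]$EncryptedLetter = 'E',   # assumed letter of the BitLocker volume
    [string]$ReferenceLetter = 'F'    # assumed letter of the unencrypted reference volume
)

$ram    = (Get-CimInstance -ClassName Win32_ComputerSystem).TotalPhysicalMemory
$encBl  = Get-BitLockerVolume -MountPoint "${EncryptedLetter}:"
$refBl  = Get-BitLockerVolume -MountPoint "${ReferenceLetter}:"
$encVol = Get-Volume -DriveLetter $EncryptedLetter
$refVol = Get-Volume -DriveLetter $ReferenceLetter

# Formatted volume size and reported RAM are both slightly below their nominal
# values, so "quadruple" is tested with a small tolerance (assumed: 3.9x).
$minRatio = 3.9

$checks = [ordered]@{
    # 'HardwareEncryption' or a compatible-mode cipher here would invalidate the comparison.
    'Encrypted volume uses software XTS-AES 128' = ($encBl.EncryptionMethod -eq 'XtsAes128')
    'Encryption has finished (100%)'             = ($encBl.VolumeStatus -eq 'FullyEncrypted' -and
                                                    $encBl.EncryptionPercentage -eq 100)
    'Encrypted volume is unlocked, protection on' = ($encBl.LockStatus -eq 'Unlocked' -and
                                                     $encBl.ProtectionStatus -eq 'On')
    'Reference volume is not encrypted'          = ($refBl.VolumeStatus -eq 'FullyDecrypted')
    'Both volumes use the same filesystem'       = ($encVol.FileSystem -eq $refVol.FileSystem)
    'Encrypted volume is about 4x physical RAM'  = (($encVol.Size / $ram) -ge $minRatio)
    'Reference volume is about 4x physical RAM'  = (($refVol.Size / $ram) -ge $minRatio)
    # Half-volume test file must exceed RAM, otherwise the cache is measured.
    'Half-volume test file exceeds physical RAM' = (($encVol.Size / 2) -gt $ram)
}

$failed = 0
foreach ($name in $checks.Keys) {
    if ($checks[$name]) { $state = 'PASS' } else { $state = 'FAIL'; $failed++ }
    '{0}  {1}' -f $state, $name
}

'Physical RAM: {0:N1} GB' -f ($ram / 1GB)
'ATTO test file size (half of the volume): {0:N1} GB' -f ($encVol.Size / 2 / 1GB)
if ($failed -gt 0) {
    Write-Warning "$failed precondition(s) not met; results will not be comparable."
}
```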
